Secure Software Lifecycle Professional – CSSLP – Question223

Which of the following test methods has the objective to test the IT system from the viewpoint of a threat-source and to identify potential failures in the IT system protection schemes?

A.
Security Test and Evaluation (ST&E)
B. Penetration testing
C. Automated vulnerability scanning tool
D. On-site interviews

Correct Answer: B

Explanation:

Explanation: The goal of penetration testing is to examine the IT system from the perspective of a threat-source, and to identify potential failures in the IT system protection schemes. Penetration testing, when performed in the risk assessment process, is used to assess an IT system’s capability to survive with the intended attempts to thwart system security. Answer: A is incorrect. The objective of ST&E is to ensure that the applied controls meet the approved security specification for the software and hardware and implement the organization’s security policy or meet industry standards.